Network Security - ISA 656 Application Firewalls
|
|
- Augustine Shepherd
- 7 years ago
- Views:
Transcription
1 Network Security - ISA 656 Application Angelos Stavrou August 20, 2008
2 Moving Up the Stack Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Why move up the stack? Apart from the limitations of packet filters discussed last time, firewalls are inherently incapable of protecting against attacks on a higher layer IP packet filters (plus port numbers... ) can t protect against bogus TCP data A TCP-layer firewall can t protect against bugs in SMTP SMTP proxies can t protect against problems in the itself, etc. Angelos Stavrou (astavrou@gmu.edu) 2 / 36
3 Filtering levels Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Application/proxy level firewalls FTP HTTP TELNET NFS TCP Network/packet filtering firewalls IP UDP ICMP Distributed Link layer firewalls Ethernet FDDI PPP Angelos Stavrou 3 / 36
4 Advantages Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Protection can be tuned to the individual application More context can be available You only pay the performance price for that application, not others Angelos Stavrou 4 / 36
5 Disadvantages Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Application-layer firewalls don t protect against attacks at lower layers! They require a separate program per application These programs can be quite complex They may be very intrusive for user applications, user behavior, etc. Angelos Stavrou (astavrou@gmu.edu) 5 / 36
6 Example: Protecting Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Do we protect in-bound or out-bound ? Some of the code is common; some is quite different Do we work at the SMTP level (RFC 2821) or the mail content level (RFC 2822)? What about MIME? (What about S/MIME- or PGP-protected mail?) What are the threats? Angelos Stavrou 6 / 36
7 Threats Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed The usual: defend against protocol implementation bugs Virus-scanning Anti-spam? Javascript? Web bugs in HTML ? Violations of organizational policy? Signature-checking? Angelos Stavrou 7 / 36
8 In-bound Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed is easy to intercept: MX records in the DNS route in-bound to a machine Possible to use * to refer and handle the entire domain Example: DNS records exist for gmu.edu and *.gmu.edu Net result: all for that domain is sent to a front end machine Angelos Stavrou (astavrou@gmu.edu) 8 / 36
9 Different Protection Layers Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed There are are multiple layers of protection possible here The receiving machine can filter IP Addresses from spammers, providing protection at the network layer The receiving machine can run a hardened SMTP, providing protection at the application layer Once the is received, it can be scanned at the content layer for any threats The firewall function can consist of either or both Angelos Stavrou (astavrou@gmu.edu) 9 / 36
10 Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement No help from the protocol definition here But most mailers have the ability to forward some or all to a relay host Create a policy that all mail has to pass through the relay in order to be delivered Enforce this with a packet filter... Distributed Angelos Stavrou (astavrou@gmu.edu) 10 / 36
11 Combining Firewall Types Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Use an application firewall to handle in-bound and out-bound Use a packet filter to enforce the rules Angelos Stavrou (astavrou@gmu.edu) 11 / 36
12 Firewalling Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Outside Packet Filter Inside SMTP Receiver DMZ Anti Spam Anti Virus Angelos Stavrou 12 / 36
13 Policy Enforcement Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed can t flow any other way The only SMTP server the outside can talk to is the SMTP receiver It forwards the to the anti-virus/anti-spam filter, via some arbitrary protocol That machine speaks SMTP to some inside mail gateway Note the other benefit: if the SMTP receiver is compromised, it can t speak directly to the inside Angelos Stavrou (astavrou@gmu.edu) 13 / 36
14 Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Again, we use a packet filter to block direct out-bound connections to port 25 The only machine that can speak to external SMTP receivers is the dedicated out-bound gateway That gateway can either live on the inside or on the DMZ Angelos Stavrou (astavrou@gmu.edu) 14 / 36
15 DNS Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed UDP (discussed previously) Internal versus external view DNS cache corruption Optimizing DNSSEC checks Angelos Stavrou 15 / 36
16 UDP Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Remember the DNS server location discussed last time In fact, what we did there was use an application-level relay to work around packet filter restrictions We re lucky since the DNS protocol includes provision for recursion, it requires no application changes for this to work Angelos Stavrou 16 / 36
17 Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Internal Versus External View Should outsiders be able to see the names of all internal machines? What about secretproject.foobar.com? Solution: use two DNS servers, one for internal requests and one for external request Put one on each side of the firewall Issue: which machine does the NS record for foobar.com point to, the inside or the outside server? Can be trickier than it seems must make sure that internal machines don t see NS records that will make them try to go outside directly Angelos Stavrou (astavrou@gmu.edu) 17 / 36
18 Cache Contamination Attacks Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed DNS servers cache results from queries Responses can contain additional information data that may be helpful but isn t part of the answer Send bogus DNS records as additional information; confuse a later querier Angelos Stavrou (astavrou@gmu.edu) 18 / 36
19 Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed DNS Filtering All internal DNS queries go to a DNS switch If it s an internal query, forward the query to the internal server or pass back internal NS record If it s an external query, forward the query to outside, but: Scrub the result to remove any references to inside machines Scrub the result to remove any references to any NS records; this prevents attempts to go outside directly Use a packet filter to block direct DNS communication Angelos Stavrou (astavrou@gmu.edu) 19 / 36
20 Small Application Gateways Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Some protocols don t need full-fledged handling at the application level That said, a packet filter isn t adequate Solution: examine some of the traffic via an application-specific proxy; react accordingly Angelos Stavrou (astavrou@gmu.edu) 20 / 36
21 FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Remember the problem with the PORT command? Scan the FTP control channel If a PORT command is spotted, tell the firewall to open that port temporarily for an incoming connection (Can do similar things with RPC define filters based on RPC applications, rather than port numbers) Angelos Stavrou (astavrou@gmu.edu) 21 / 36
22 Attacks Via FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Downloaded Java applets can call back to the originating host A malicious applet can open an FTP channel, and sea PORT command listing a vulnerable port on a nominally-protected host The firewall will let that connection through Solution: make the firewall smarter about what host and port numbers can appear in PORT commands... Angelos Stavrou (astavrou@gmu.edu) 22 / 36
23 Web Proxies Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Again, built-in protocol support Provide performance advantage: caching Can enforce site-specific filtering rules Angelos Stavrou 23 / 36
24 Application Application Modifications Adding Authentication Distributed Circuit gateways operate at (more or less) the TCP layer No application-specific semantics Avoid complexities of packet filters Allow controlled in-bound connections, i.e., for FTP Handle UDP Most common one: SOCKS. Supported by many common applications, such as Firefox and GAIM. Angelos Stavrou 24 / 36
25 Application Modifications Application Application Modifications Adding Authentication Distributed Application must be changed to speak the circuit gateway protocol instead of TCP or UDP Easy for open source Socket-compatible circuit gateway libraries have been written for SOCKS use those instead of standard C library to convert application Angelos Stavrou (astavrou@gmu.edu) 25 / 36
26 Adding Authentication Application Application Modifications Adding Authentication Distributed Because of the circuit (rather than packet) orientation, it s feasible to add authentication Purpose: extrusion control Angelos Stavrou (astavrou@gmu.edu) 26 / 36
27 Rationale Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Conventional firewalls rely on topological assumptions these are questionable today Instead, install protection on the end system Let it protect itself Angelos Stavrou 27 / 36
28 Personal Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Add-on to the main protocol stack The inside is the host itself; everything else is the outside Most act like packet filters Rule set can be set by individual or by administrator Angelos Stavrou 28 / 36
29 Saying No, Saying Yes Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed It s easy to reject protocols you don t like with a personal firewall The hard part is saying yes safely There s no topology all that you have is the sender s IP address Spoofing IP addresses isn t that hard, especially for UDP Angelos Stavrou (astavrou@gmu.edu) 29 / 36
30 Application-Linked Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Most personal firewalls act on port numbers At least one such firewall is tied to applications individual programs are or are not allowed to talk, locally or globally Pros: don t worry about cryptic port numbers; handle auxiliary ports just fine Cons: application names can be just as cryptic; service applications operate on behalf of some other application Angelos Stavrou (astavrou@gmu.edu) 30 / 36
31 Distributed Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed In some sense similar to personal firewalls, though with central policy control Use IPsec to distinguish inside from outside Insiders have inside-issued certificates; outsiders don t Only trust other machines with the proper certificate No reliance on topology; insider laptops are protected when traveling; outsider laptops aren t a threat when they visit Angelos Stavrou (astavrou@gmu.edu) 31 / 36
32 Problems with Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Angelos Stavrou 32 / 36
33 Malicious Insiders Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion assume that everyone on the inside is good Obviously, that s not true... Insiders can cause much more damage since there is no control For example, open proxies over encrypted tunnels Angelos Stavrou (astavrou@gmu.edu) 33 / 36
34 Mobile Devices Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Laptops and smart phones, more or less by definition, are mobile When they re outside the firewall, what protects them? Similar problems with all networked devices (over powerlines, blue-tooth) Is there a solution for mobile devices? (Personal firewalls, secure/close all unnecessary services) Angelos Stavrou (astavrou@gmu.edu) 34 / 36
35 Dynamic Connectivity Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion rely on topology and on static services If there are too many connections, some will bypass the firewall Sometimes, that s even necessary; it isn t possible to effectively firewall all external partners A large company may have hundreds or even thousands of external links, most of which are unknown to the official networking people Angelos Stavrou (astavrou@gmu.edu) 35 / 36
36 Evasion Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion and firewall administrators got too good Some applications weren t able to run Vendors started building things that ran over known ports (i.e HTTP) HTTP usually gets through firewalls and even web proxies... Angelos Stavrou (astavrou@gmu.edu) 36 / 36
Application Firewalls
Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed
More informationNetwork Security - ISA 656 Firewalls & NATs
Network Security - ISA 656 & NATs Angelos Stavrou Types of Schematic of a Conceptual Pieces Packet UDP Types of Packet Dynamic Packet Application Gateways Circuit Relays Personal /or Distributed Many firewalls
More informationCSCI 7000-001 Firewalls and Packet Filtering
CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationFirewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues
CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet
More informationFirewalls. Steven M. Bellovin https://www.cs.columbia.edu/~smb. Matsuzaki maz Yoshinobu <maz@iij.ad.jp>
Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki maz Yoshinobu 1 What s a Firewall? A barrier between us and the Internet All traffic, inbound or outbound, must pass
More information12. Firewalls Content
Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationAdvanced Higher Computing. Computer Networks. Homework Sheets
Advanced Higher Computing Computer Networks Homework Sheets Topic : Network Protocols and Standards. Name the organisation responsible for setting international standards and explain why network standards
More informationInternet Security Firewalls
Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA
More informationFirewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1 Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation
More informationΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
More informationWhat is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services
Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and
More informationLehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
More informationInternet Security Firewalls
Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationFirewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.
Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and
More informationHow To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
More informationPROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationFirewalls 1 / 43. Firewalls
What s a Firewall Why Use? Tradttional by Analogy Should We Fix the Network Protocols Instead? Firewall Advantages Schematic of a Firewall Conceptual Pieces The DMZ Positioning Why Administrative Domains?
More informationStateful Inspection Technology
Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions
More informationCSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls
CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman
More informationUMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY Firewall Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator: Recommended by Director
More informationIPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016
IPv6 Firewalls ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 17 th May 2016 1 Acknowledgements p Contains material from n Stallings and Brown (2015) n Ian Welch (Victoria
More informationallow all such packets? While outgoing communications request information from a
FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,
More informationProxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/
Proxy firewalls thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Proxy Firewalls How Proxy Firewalls Work Forward / Reverse Proxies Application-Level Proxies Gateways (Circuit-Level
More informationProxies. Chapter 4. Network & Security Gildas Avoine
Proxies Chapter 4 Network & Security Gildas Avoine SUMMARY OF CHAPTER 4 Generalities Forward Proxies Reverse Proxies Open Proxies Conclusion GENERALITIES Generalities Forward Proxies Reverse Proxies Open
More informationProxy Server, Network Address Translator, Firewall. Proxy Server
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
More informationFirewalls and System Protection
Firewalls and System Protection Firewalls Distributed Systems Paul Krzyzanowski 1 Firewalls: Defending the network inetd Most UNIX systems ran a large number of tcp services as dæmons e.g., rlogin, rsh,
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationFirewalls (IPTABLES)
Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context
More information83-10-41 Types of Firewalls E. Eugene Schultz Payoff
83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system
More informationCryptography and network security
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible
More informationNetwork Security - ISA 656 Intro to Firewalls
Network Security - ISA 656 Intro to s Angelos Stavrou August 28, 2007 What s a Intro to s What s a Why Use s? Traditional s Advantages Philosophies Devices examining traffic making access control decisions
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationNetwork Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationChapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding
Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationCisco PIX vs. Checkpoint Firewall
Cisco PIX vs. Checkpoint Firewall Introduction Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.
More informationSecurizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei Firewall
More informationRole of Firewall in Network. Security. Syed S. Rizvi. CS 872: Computer Network Security. Fall 2005
Role of Firewall in Network Security By Syed S. Rizvi CS 872: Computer Network Security Fall 2005 Outline o Background o What is a Firewall? o What does a Firewall do? o Implementation of Firewall o Interaction
More informationFig. 4.2.1: Packet Filtering
4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More informationIntroduction to Computer Security Benoit Donnet Academic Year 2015-2016
Introduction to Computer Security Benoit Donnet Academic Year 2015-2016 1 Agenda Networking Chapter 1: Firewalls Chapter 2: Proxy Chapter 3: Intrusion Detection System Chapter 4: Network Attacks Chapter
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion
More informationFirewalls. Pehr Söderman KTH-CSC Pehrs@kth.se
Firewalls Pehr Söderman KTH-CSC Pehrs@kth.se 1 Definition A firewall is a network device that separates two parts of a network, enforcing a policy for all traversing traffic. 2 Fundamental requirements
More informationOverview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
More informationBuilding A Secure Microsoft Exchange Continuity Appliance
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
More informationIntranet, Extranet, Firewall
Indian Institute of Technology Kharagpur Intranet, Extranet, Firewall Prof. Indranil Sen Gupta Dept. of Computer Science & Engg. I.I.T. Kharagpur, INDIA Lecture 31: Intranet, Extranet, Firewall On completion,
More informationN-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work
N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if
More informationComputer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection
More informationFirewall Design Principles Firewall Characteristics Types of Firewalls
Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationFirewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls
CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationFirewalls and Network Defence
Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand
More informationImplementing Secure Converged Wide Area Networks (ISCW)
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet
More informationSecurity threats and network. Software firewall. Hardware firewall. Firewalls
Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of
More informationWhat is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?
What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to
More informationNetwork Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer
Network Security Chapter 13 Internet Firewalls Network Security (WS 07/08): 13 Internet Firewalls 1 Introduction to Network Firewalls (1) In building construction, a firewall is designed to keep a fire
More informationSOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall
SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software
More informationUNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04
UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 REVISED 23 FEBRUARY 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
More informationDeploying Layered Email Security. What is Layered Email Security?
Deploying Layered Email Security This paper is intended for users of Websense Email Security who want to add Websense Hosted Email Security to deploy a layered email security solution. In this paper: Review
More informationFirewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
More informationOverview. Packet filter
Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter Security Security means, protect information (during
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More informationDistributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski pxk@cs.rutgers.edu
Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More information1 Introduction: Network Applications
1 Introduction: Network Applications Some Network Apps E-mail Web Instant messaging Remote login P2P file sharing Multi-user network games Streaming stored video clips Internet telephone Real-time video
More informationNetworking Basics and Network Security
Why do we need networks? Networking Basics and Network Security Shared Data and Functions Availability Performance, Load Balancing What is needed for a network? ISO 7-Layer Model Physical Connection Wired:
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationCSE331: Introduction to Networks and Security. Lecture 12 Fall 2006
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
More informationGateway Security at Stateful Inspection/Application Proxy
Gateway Security at Stateful Inspection/Application Proxy Michael Lai Sales Engineer - Secure Computing Corporation MBA, MSc, BEng(Hons), CISSP, CISA, BS7799 Lead Auditor (BSI) Agenda Who is Secure Computing
More informationWhat is Firewall? A system designed to prevent unauthorized access to or from a private network.
What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls
More informationGuideline on Firewall
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationIP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...
IP Link Best Practices for Network Integration and Security Table of Contents Introduction...2 Passwords...4 ACL...5 VLAN...6 Protocols...6 Conclusion...9 Abstract Extron IP Link technology enables A/V
More informationSmall Business Server Part 2
Small Business Server Part 2 Presented by : Robert Crane BE MBA MCP director@ciaops.com Computer Information Agency http://www.ciaops.com Agenda Week 1 What is SBS / Setup Week 2 Using & configuring SBS
More informationFirewall Defaults, Public Server Rule, and Secondary WAN IP Address
Firewall Defaults, Public Server Rule, and Secondary WAN IP Address This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSafe Wireless-N
More informationChapter 20. Firewalls
Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems
More information642 523 Securing Networks with PIX and ASA
642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More informationEnterprise Security Critical Standards Summary
Enterprise Security Critical Standards Summary The following is a summary of key points in the Orange County Government Board of County Commissioners (OCGBCC) security standards. It is necessary for vendors
More informationSecurity Type of attacks Firewalls Protocols Packet filter
Overview Security Type of attacks Firewalls Protocols Packet filter Computer Net Lab/Praktikum Datenverarbeitung 2 1 Security Security means, protect information (during and after processing) against impairment
More informationSFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004
SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationHow to set up a multifunction device or application to send email using Office 365
How to set up a multifunction device or application to send email using Office 365 Exchange Online 232 out of 424 rated this helpful Applies to: Exchange Online Topic Last Modified: 2015 10 14 You can
More informationEmail Gateways Using MDaemon 6.0 With Dynaworx
Email Gateways Using MDaemon 6.0 With Dynaworx Abstract An email gateway collects, stores, and forwards messages to a primary domain server. A gateway typically has no individual accounts. Email gateways
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationTopics NS HS12 2 CINS/F1-01
Firewalls Carlo U. Nicola, SGI FHNW With extracts from slides/publications of : John Mitchell, Stanford U.; Marc Rennhard, ZHAW; E.H. Spafford, Purdue University. CINS/F1-01 Topics 1. Purpose of firewalls
More informationVirtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
More information